1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Homepage Hijack, unwanted destop shortcuts

Discussion in 'Virus & Other Malware Removal' started by batmanpasta, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. batmanpasta

    batmanpasta Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    2
    My IE home page has been reset to motor-search.info. In addition to the home page, some desktop shortcuts also keep showing up after deletion and re-boot. I have ad-aware and spybot installed on my machine. I have run the most recent versions of both, but the problem has not been fixed.

    Running Win XP home.

    Any help or suggestions would be greatly appreciated. Thanks.
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Welcome to TSG

    You got CSW

    On AdAware and Spybot check to see if you have the same settings if not change and than run them again

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    CWshredder from http://www.thespykiller.co.uk/

    Spybot - Search & Destroy from http://security.kolla.de

    AdAware 6 from http://www.lavasoft.de/software/adaware/

    then
    Run CWSHREDDER,

    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
    and make sure you have all Microsoftsecurity updates

    then reboot &

    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. .(Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    o to http://www.merijn.org/files/HijackThis.exe and download 'Hijack This!'.
    make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log (in the security section)
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    If Merijn.org is still down due to the DDOS attack on it, the alternative download sites for Hijackthis are:
    http://www.oneknight.co.uk
    http://www.sherrylynn.us/HijackThis.exe
    http://mjc1.com/mirror/hjt/
    http://www.majorgeeks.com/downloads31.html
    http://www.spywareinfo.com/~merijn/downloads.html


    then post a hijackthis log to check what is left
     
  3. batmanpasta

    batmanpasta Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    2
    Thanks for your help so far. My home page is back and the shortcuts are gone. Here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:26:51 PM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Utilities\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\UTILIT~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Documents and Settings\futurshop\My Downloads\Highjack\HighjackThis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\UTILIT~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Utilities\Hmonitor\hmonitor.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Utilities\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.4665625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217642

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice